drivers/tee/qcomtee/mem_obj.c - linux/kernel/git/torvalds/linux.git - Git at Google

 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
  */

 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

 #include <linux/firmware/qcom/qcom_scm.h>
 #include <linux/mm.h>

 #include "qcomtee.h"

 /**
  * DOC: Memory and Mapping Objects
  *
  * QTEE uses memory objects for memory sharing with Linux.
  * A memory object can be a standard dma_buf or a contiguous memory range,
  * e.g., tee_shm. A memory object should support one operation: map. When
  * invoked by QTEE, a mapping object is generated. A mapping object supports
  * one operation: unmap.
  *
  *  (1) To map a memory object, QTEE invokes the primordial object with
  *      %QCOMTEE_OBJECT_OP_MAP_REGION operation; see
  *      qcomtee_primordial_obj_dispatch().
  *  (2) To unmap a memory object, QTEE releases the mapping object which
  *      calls qcomtee_mem_object_release().
  *
  * The map operation is implemented in the primordial object as a privileged
  * operation instead of qcomtee_mem_object_dispatch(). Otherwise, on
  * platforms without shm_bridge, a user can trick QTEE into writing to the
  * kernel memory by passing a user object as a memory object and returning a
  * random physical address as the result of the mapping request.
  */

 struct qcomtee_mem_object {
 	struct qcomtee_object object;
 	struct tee_shm *shm;
 	/* QTEE requires these felids to be page aligned. */
 	phys_addr_t paddr; /* Physical address of range. */
 	size_t size; /* Size of the range. */
 };

 #define to_qcomtee_mem_object(o) \
 	container_of((o), struct qcomtee_mem_object, object)

 static struct qcomtee_object_operations qcomtee_mem_object_ops;

 /* Is it a memory object using tee_shm? */
 int is_qcomtee_memobj_object(struct qcomtee_object *object)
 {
 	return object != NULL_QCOMTEE_OBJECT &&
 	       typeof_qcomtee_object(object) == QCOMTEE_OBJECT_TYPE_CB &&
 	       object->ops == &qcomtee_mem_object_ops;
 }

 static int qcomtee_mem_object_dispatch(struct qcomtee_object_invoke_ctx *oic,
 				       struct qcomtee_object *object, u32 op,
 				       struct qcomtee_arg *args)
 {
 	return -EINVAL;
 }

 static void qcomtee_mem_object_release(struct qcomtee_object *object)
 {
 	struct qcomtee_mem_object *mem_object = to_qcomtee_mem_object(object);

 	/* Matching get is in qcomtee_memobj_param_to_object(). */
 	tee_shm_put(mem_object->shm);
 	kfree(mem_object);
 }

 static struct qcomtee_object_operations qcomtee_mem_object_ops = {
 	.release = qcomtee_mem_object_release,
 	.dispatch = qcomtee_mem_object_dispatch,
 };

 /**
  * qcomtee_memobj_param_to_object() - OBJREF parameter to &struct qcomtee_object.
  * @object: object returned.
  * @param: TEE parameter.
  * @ctx: context in which the conversion should happen.
  *
  * @param is an OBJREF with %QCOMTEE_OBJREF_FLAG_MEM flags.
  *
  * Return: On success return 0 or <0 on failure.
  */
 int qcomtee_memobj_param_to_object(struct qcomtee_object **object,
 				   struct tee_param *param,
 				   struct tee_context *ctx)
 {
 	struct qcomtee_mem_object *mem_object __free(kfree) = NULL;
 	struct tee_shm *shm;
 	int err;

 	mem_object = kzalloc(sizeof(*mem_object), GFP_KERNEL);
 	if (!mem_object)
 		return -ENOMEM;

 	shm = tee_shm_get_from_id(ctx, param->u.objref.id);
 	if (IS_ERR(shm))
 		return PTR_ERR(shm);

 	/* mem-object wrapping the memref. */
 	err = qcomtee_object_user_init(&mem_object->object,
 				       QCOMTEE_OBJECT_TYPE_CB,
 				       &qcomtee_mem_object_ops, "tee-shm-%d",
 				       shm->id);
 	if (err) {
 		tee_shm_put(shm);

 		return err;
 	}

 	mem_object->paddr = shm->paddr;
 	mem_object->size = shm->size;
 	mem_object->shm = shm;

 	*object = &no_free_ptr(mem_object)->object;

 	return 0;
 }

 /* Reverse what qcomtee_memobj_param_to_object() does. */
 int qcomtee_memobj_param_from_object(struct tee_param *param,
 				     struct qcomtee_object *object,
 				     struct tee_context *ctx)
 {
 	struct qcomtee_mem_object *mem_object;

 	mem_object = to_qcomtee_mem_object(object);
 	/* Sure if the memobj is in a same context it is originated from. */
 	if (mem_object->shm->ctx != ctx)
 		return -EINVAL;

 	param->u.objref.id = mem_object->shm->id;
 	param->u.objref.flags = QCOMTEE_OBJREF_FLAG_MEM;

 	/* Passing shm->id to userspace; drop the reference. */
 	qcomtee_object_put(object);

 	return 0;
 }

 /**
  * qcomtee_mem_object_map() - Map a memory object.
  * @object: memory object.
  * @map_object: created mapping object.
  * @mem_paddr: physical address of the memory.
  * @mem_size: size of the memory.
  * @perms: QTEE access permissions.
  *
  * Return: On success return 0 or <0 on failure.
  */
 int qcomtee_mem_object_map(struct qcomtee_object *object,
 			   struct qcomtee_object **map_object, u64 *mem_paddr,
 			   u64 *mem_size, u32 *perms)
 {
 	struct qcomtee_mem_object *mem_object = to_qcomtee_mem_object(object);

 	/* Reuses the memory object as a mapping object by re-sharing it. */
 	qcomtee_object_get(&mem_object->object);

 	*map_object = &mem_object->object;
 	*mem_paddr = mem_object->paddr;
 	*mem_size = mem_object->size;
 	*perms = QCOM_SCM_PERM_RW;

 	return 0;
 }
	// SPDX-License-Identifier: GPL-2.0-only
	/*
	* Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
	*/

	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

	#include <linux/firmware/qcom/qcom_scm.h>
	#include <linux/mm.h>

	#include "qcomtee.h"

	/**
	* DOC: Memory and Mapping Objects
	*
	* QTEE uses memory objects for memory sharing with Linux.
	* A memory object can be a standard dma_buf or a contiguous memory range,
	* e.g., tee_shm. A memory object should support one operation: map. When
	* invoked by QTEE, a mapping object is generated. A mapping object supports
	* one operation: unmap.
	*
	* (1) To map a memory object, QTEE invokes the primordial object with
	* %QCOMTEE_OBJECT_OP_MAP_REGION operation; see
	* qcomtee_primordial_obj_dispatch().
	* (2) To unmap a memory object, QTEE releases the mapping object which
	* calls qcomtee_mem_object_release().
	*
	* The map operation is implemented in the primordial object as a privileged
	* operation instead of qcomtee_mem_object_dispatch(). Otherwise, on
	* platforms without shm_bridge, a user can trick QTEE into writing to the
	* kernel memory by passing a user object as a memory object and returning a
	* random physical address as the result of the mapping request.
	*/

	struct qcomtee_mem_object {
	struct qcomtee_object object;
	struct tee_shm *shm;
	/* QTEE requires these felids to be page aligned. */
	phys_addr_t paddr; /* Physical address of range. */
	size_t size; /* Size of the range. */
	};

	#define to_qcomtee_mem_object(o) \
	container_of((o), struct qcomtee_mem_object, object)

	static struct qcomtee_object_operations qcomtee_mem_object_ops;

	/* Is it a memory object using tee_shm? */
	int is_qcomtee_memobj_object(struct qcomtee_object *object)
	{
	return object != NULL_QCOMTEE_OBJECT &&
	typeof_qcomtee_object(object) == QCOMTEE_OBJECT_TYPE_CB &&
	object->ops == &qcomtee_mem_object_ops;
	}

	static int qcomtee_mem_object_dispatch(struct qcomtee_object_invoke_ctx *oic,
	struct qcomtee_object *object, u32 op,
	struct qcomtee_arg *args)
	{
	return -EINVAL;
	}

	static void qcomtee_mem_object_release(struct qcomtee_object *object)
	{
	struct qcomtee_mem_object *mem_object = to_qcomtee_mem_object(object);

	/* Matching get is in qcomtee_memobj_param_to_object(). */
	tee_shm_put(mem_object->shm);
	kfree(mem_object);
	}

	static struct qcomtee_object_operations qcomtee_mem_object_ops = {
	.release = qcomtee_mem_object_release,
	.dispatch = qcomtee_mem_object_dispatch,
	};

	/**
	* qcomtee_memobj_param_to_object() - OBJREF parameter to &struct qcomtee_object.
	* @object: object returned.
	* @param: TEE parameter.
	* @ctx: context in which the conversion should happen.
	*
	* @param is an OBJREF with %QCOMTEE_OBJREF_FLAG_MEM flags.
	*
	* Return: On success return 0 or <0 on failure.
	*/
	int qcomtee_memobj_param_to_object(struct qcomtee_object **object,
	struct tee_param *param,
	struct tee_context *ctx)
	{
	struct qcomtee_mem_object *mem_object __free(kfree) = NULL;
	struct tee_shm *shm;
	int err;

	mem_object = kzalloc(sizeof(*mem_object), GFP_KERNEL);
	if (!mem_object)
	return -ENOMEM;

	shm = tee_shm_get_from_id(ctx, param->u.objref.id);
	if (IS_ERR(shm))
	return PTR_ERR(shm);

	/* mem-object wrapping the memref. */
	err = qcomtee_object_user_init(&mem_object->object,
	QCOMTEE_OBJECT_TYPE_CB,
	&qcomtee_mem_object_ops, "tee-shm-%d",
	shm->id);
	if (err) {
	tee_shm_put(shm);

	return err;
	}

	mem_object->paddr = shm->paddr;
	mem_object->size = shm->size;
	mem_object->shm = shm;

	*object = &no_free_ptr(mem_object)->object;

	return 0;
	}

	/* Reverse what qcomtee_memobj_param_to_object() does. */
	int qcomtee_memobj_param_from_object(struct tee_param *param,
	struct qcomtee_object *object,
	struct tee_context *ctx)
	{
	struct qcomtee_mem_object *mem_object;

	mem_object = to_qcomtee_mem_object(object);
	/* Sure if the memobj is in a same context it is originated from. */
	if (mem_object->shm->ctx != ctx)
	return -EINVAL;

	param->u.objref.id = mem_object->shm->id;
	param->u.objref.flags = QCOMTEE_OBJREF_FLAG_MEM;

	/* Passing shm->id to userspace; drop the reference. */
	qcomtee_object_put(object);

	return 0;
	}

	/**
	* qcomtee_mem_object_map() - Map a memory object.
	* @object: memory object.
	* @map_object: created mapping object.
	* @mem_paddr: physical address of the memory.
	* @mem_size: size of the memory.
	* @perms: QTEE access permissions.
	*
	* Return: On success return 0 or <0 on failure.
	*/
	int qcomtee_mem_object_map(struct qcomtee_object *object,
	struct qcomtee_object *map_object, u64 mem_paddr,
	u64 mem_size, u32 perms)
	{
	struct qcomtee_mem_object *mem_object = to_qcomtee_mem_object(object);

	/* Reuses the memory object as a mapping object by re-sharing it. */
	qcomtee_object_get(&mem_object->object);

	*map_object = &mem_object->object;
	*mem_paddr = mem_object->paddr;
	*mem_size = mem_object->size;
	*perms = QCOM_SCM_PERM_RW;

	return 0;
	}